Djam/libreoffice
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/libreoffice.git synced 2025-02-23 18:43:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
libreoffice/CVE-2019-9849.patch

142 lines
6.2 KiB
Diff
Raw Permalink Normal View History

Fix CVE-2019-9848, CVE-2019-9849
2019-07-31 02:21:50 +03:00
Description: More uses of referer URL with SvxBrushItem
Author: Stephan Bergmann <sbergman@redhat.com>
Upstream Commit: https://cgit.freedesktop.org/libreoffice/core/commit/?id=b518882de8213ef71a8003f95fbdf7689069c06d
Bug: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9849/
diff --git a/sw/inc/unosett.hxx b/sw/inc/unosett.hxx
index 295eb06fe..185b5bcb4 100644
--- a/sw/inc/unosett.hxx
+++ b/sw/inc/unosett.hxx
@@ -210,7 +210,7 @@ public:
static css::uno::Sequence<css::beans::PropertyValue> GetPropertiesForNumFormat(
const SwNumFormat& rFormat, OUString const& rCharFormatName,
- OUString const* pHeadingStyleName);
+ OUString const* pHeadingStyleName, OUString const & referer);
static void SetPropertiesToNumFormat(
SwNumFormat & aFormat,
OUString & rCharStyleName,
diff --git a/sw/source/core/text/porfld.cxx b/sw/source/core/text/porfld.cxx
index 777165819..b29cee3b5 100644
--- a/sw/source/core/text/porfld.cxx
+++ b/sw/source/core/text/porfld.cxx
@@ -755,7 +755,7 @@ SwBulletPortion::SwBulletPortion( const sal_Unicode cBullet,
SwGrfNumPortion::SwGrfNumPortion(
const OUString& rGraphicFollowedBy,
- const SvxBrushItem* pGrfBrush,
+ const SvxBrushItem* pGrfBrush, OUString const & referer,
const SwFormatVertOrient* pGrfOrient, const Size& rGrfSize,
const bool bLft, const bool bCntr, const sal_uInt16 nMinDst,
const bool bLabelAlignmentPosAndSpaceModeActive ) :
@@ -769,7 +769,7 @@ SwGrfNumPortion::SwGrfNumPortion(
if( pGrfBrush )
{
*pBrush = *pGrfBrush;
- const Graphic* pGraph = pGrfBrush->GetGraphic();
+ const Graphic* pGraph = pGrfBrush->GetGraphic(referer);
if( pGraph )
SetAnimated( pGraph->IsAnimated() );
else
diff --git a/sw/source/core/text/porfld.hxx b/sw/source/core/text/porfld.hxx
index 38fc08993..4ecf25e7d 100644
--- a/sw/source/core/text/porfld.hxx
+++ b/sw/source/core/text/porfld.hxx
@@ -168,6 +168,7 @@ class SwGrfNumPortion : public SwNumberPortion
public:
SwGrfNumPortion( const OUString& rGraphicFollowedBy,
const SvxBrushItem* pGrfBrush,
+ OUString const & referer,
const SwFormatVertOrient* pGrfOrient,
const Size& rGrfSize,
const bool bLeft,
diff --git a/sw/source/core/text/txtfld.cxx b/sw/source/core/text/txtfld.cxx
index 6b2b93886..14e396869 100644
--- a/sw/source/core/text/txtfld.cxx
+++ b/sw/source/core/text/txtfld.cxx
@@ -52,6 +52,7 @@
#include <flddat.hxx>
#include <fmtautofmt.hxx>
#include <IDocumentSettingAccess.hxx>
+#include <sfx2/docfile.hxx>
#include <svl/itemiter.hxx>
static bool lcl_IsInBody( SwFrame const *pFrame )
@@ -478,8 +479,17 @@ SwNumberPortion *SwTextFormatter::NewNumberPortion( SwTextFormatInfo &rInf ) con
if( SVX_NUM_BITMAP == rNumFormat.GetNumberingType() )
{
+ OUString referer;
+ if (auto const sh1 = rInf.GetVsh()) {
+ if (auto const doc = sh1->GetDoc()) {
+ auto const sh2 = doc->GetPersist();
+ if (sh2 != nullptr && sh2->HasName()) {
+ referer = sh2->GetMedium()->GetName();
+ }
+ }
+ }
pRet = new SwGrfNumPortion( pTextNd->GetLabelFollowedBy(),
- rNumFormat.GetBrush(),
+ rNumFormat.GetBrush(), referer,
rNumFormat.GetGraphicOrientation(),
rNumFormat.GetGraphicSize(),
bLeft, bCenter, nMinDist,
diff --git a/sw/source/core/unocore/unosett.cxx b/sw/source/core/unocore/unosett.cxx
index f7376b936..218afbdd9 100644
--- a/sw/source/core/unocore/unosett.cxx
+++ b/sw/source/core/unocore/unosett.cxx
@@ -57,6 +57,7 @@
#include <vcl/font.hxx>
#include <editeng/flstitem.hxx>
#include <vcl/metric.hxx>
+#include <sfx2/docfile.hxx>
#include <svtools/ctrltool.hxx>
#include <vcl/svapp.hxx>
#include <toolkit/helper/vclunohelper.hxx>
@@ -1316,13 +1317,21 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetNumberingRuleByIndex(
SwStyleNameMapper::FillProgName(sValue, aUString, SwGetPoolIdFromName::TxtColl);
}
- return GetPropertiesForNumFormat(rFormat, CharStyleName, (pDocShell) ? & aUString : nullptr);
+ OUString referer;
+ if (pDoc != nullptr) {
+ auto const sh = pDoc->GetPersist();
+ if (sh != nullptr && sh->HasName()) {
+ referer = sh->GetMedium()->GetName();
+ }
+ }
+ return GetPropertiesForNumFormat(
+ rFormat, CharStyleName, pDocShell ? & aUString : nullptr, referer);
}
uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat(
const SwNumFormat& rFormat, OUString const& rCharFormatName,
- OUString const*const pHeadingStyleName)
+ OUString const*const pHeadingStyleName, OUString const & referer)
{
bool bChapterNum = pHeadingStyleName != nullptr;
@@ -1454,7 +1463,7 @@ uno::Sequence<beans::PropertyValue> SwXNumberingRules::GetPropertiesForNumFormat
//graphicbitmap
const Graphic* pGraphic = nullptr;
if(pBrush )
- pGraphic = pBrush->GetGraphic();
+ pGraphic = pBrush->GetGraphic(referer);
if(pGraphic)
{
uno::Reference<awt::XBitmap> xBmp = VCLUnoHelper::CreateBitmap( pGraphic->GetBitmapEx() );
diff --git a/sw/source/uibase/config/StoredChapterNumbering.cxx b/sw/source/uibase/config/StoredChapterNumbering.cxx
index c575863f0..b972ec5ed 100644
--- a/sw/source/uibase/config/StoredChapterNumbering.cxx
+++ b/sw/source/uibase/config/StoredChapterNumbering.cxx
@@ -129,7 +129,7 @@ public:
OUString dummy; // pass in empty HeadingStyleName - can't import anyway
uno::Sequence<beans::PropertyValue> const ret(
SwXNumberingRules::GetPropertiesForNumFormat(
- *pNumFormat, *pCharStyleName, &dummy));
+ *pNumFormat, *pCharStyleName, &dummy, ""));
return uno::makeAny(ret);
}
Reference in a new issue Copy permalink